com.cms.crypto
Class SignedDataProcessor

java.lang.Object
  com.cms.crypto.SignedDataProcessor

public class SignedDataProcessor
extends java.lang.Object

Signs a plaintext message (the "content") for one or more signers, each with their own digest algorithm and private key associated with a public key certificate. Optionally conveys a set of one or more digital certificates and certificate revocation lists (CRLs) and a set of one or more unauthenticated attributes.

ASN.1 type SignedData is defined in IETF RFC 3852:2004 as:

 SignedData ::= SEQUENCE {
    version           CMSVersion,
    digestAlgorithms  DigestAlgorithmIdentifiers,
    encapContentInfo  EncapsulatedContentInfo,
    certificates      [0] IMPLICIT CertificateSet  OPTIONAL,
    crls              [1] IMPLICIT RevocationInfoChoices  OPTIONAL,
    signerInfos       SignerInfos
 }
 
 The components of type SignedData have the following meanings:
 
 version                    An integer version number of the synta definition.
 
 digestAlgorithms       The set of message digest algorithms used by the signers.
                                        This is a hint of the algorithms to be expected in the
                                        signerInfos to follow.  Effectively ignore this field.
 
 encapContentInfo An identifier of the type of content signed and the content
                                        that was signed.
 
 certificates     An optional set of one or more digital certificates. When
                  present, this set may contain more certificates or less than
                  needed to verify the signature on the signed data or less.
 
 crls             An optional set of one or more X.509 certificate revocation 
                  lists (CRLs) or other certificate type revocation object.
                  When present, there may be more revocation objects or less 
                  than needed to determine whether or not a signer certificate
                  is valid.
                     
 signerInfos      A set of information for each signer of the content. Each
                                        SignerInfo must be processed.  Each SignerInfo may have
                                        different hash and signature algorithms, etc.
 

Message Digest and Signature Process

A message digest is used to create the digital signature carried in the SignerInfo component of SignedData. The message digest is calculated using the algorithm and parameters specified in the digestAlgorithm component of SignerInfo, and the value of the eContent component of EncapsulatedContentInfo. The eContentType component of EncapsulatedContentInfo identifies the type of value being signed ( id-data, id-encrypteddata, id-envelopeddata, etc. )

When a value of type SignedData is represented as XML markup, the starting and ending eContent tags ( and ) are excluded from the message digest process. Only the "value" portion of the complete canonical XER encoding of eContent is digested.

The result of the message digest process is then digitally signed using the signers private key and the signature algorithm and parameters specified in the signatureAlgorithm component of SignerInfo. The result of the signing process becomes the value of the 'signature' component of the SignerInfo component of SignedData.

Version:

1.00 - 2006/02/28

Author:

support@phillipgriffin.com

Constructor Summary

SignedDataProcessor(CMSVersion version, Codec codec)
Constructor for SignedDataProcessor with syntax version and ASN.1 encoding rules parameters.

SignedDataProcessor(CMSVersion version, Codec codec, SignerIdentifier signerIdentifier, java.security.PrivateKey privateKey, DigestAlgorithmIdentifier digestAlgorithm, SignatureAlgorithmIdentifier signatureAlgorithm)
Constructor for SignedDataProcessor with message syntax, encoding rules, signer identifier, signing key, and digest and signature algorithm parameters.

Method Summary

SignedData	sign(byte[] data, ContentType contentType, ASN1OctetString certificates, ASN1OctetString crls, SignedAttributes signedAttributes, UnsignedAttributes unsignedAttributes) If the content type is ID_DATA (ordinary data and not a nested CMS type) and there are NO signed attributes, the content is signed directly.
boolean	verify(SignedData signedData, PublicKeyLookup keyLookup) Verify the signature on the signed content.

Methods inherited from class java.lang.Object

clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait

Constructor Detail

SignedDataProcessor

public SignedDataProcessor(CMSVersion version,
                           Codec codec,
                           SignerIdentifier signerIdentifier,
                           java.security.PrivateKey privateKey,
                           DigestAlgorithmIdentifier digestAlgorithm,
                           SignatureAlgorithmIdentifier signatureAlgorithm)

Constructor for SignedDataProcessor with message syntax, encoding rules, signer identifier, signing key, and digest and signature algorithm parameters.

Parameters:

version - syntax version number

codec - ASN.1 encoding rules

signerIdentifier - identifier of a content signer

privateKey - private key associated with a Public Key certificate

digestAlgorithm - a message digest algorithm information object identifier and any associated parameters

signatureAlgorithm - a signature algorithm identifier and any associated parameters

SignedDataProcessor

public SignedDataProcessor(CMSVersion version,
                           Codec codec)

Constructor for SignedDataProcessor with syntax version and ASN.1 encoding rules parameters.

Parameters:

version - integer version of the syntax

codec - type of ASN.1 encoding rules

Method Detail

sign

public SignedData sign(byte[] data,
                       ContentType contentType,
                       ASN1OctetString certificates,
                       ASN1OctetString crls,
                       SignedAttributes signedAttributes,
                       UnsignedAttributes unsignedAttributes)
                throws CryptoException

If the content type is ID_DATA (ordinary data and not a nested CMS type) and there are NO signed attributes, the content is signed directly. Otherwise, a value of ASN.1 type SignedAttributes is signed instead of just the content, and this set of attributes must include the MessageDigest and ContentType attributes.

In this case, the content is signed indirectly, since the MessageDigest attribute contains the hash of the content, and the signature on the signed attributes includes this hash.

Note that if the MessageDigest and ContentType attributes are not provided by the caller, these will be produced by the toolkit as part of the signature process.

Parameters:

data - the content to be signed

contentType - an identifier of the type of content to be signed

certificates - an optional set of public key certificates

crls - an optional set of Certificate Revocation Lists (CRLs)

signedAttributes - an optional set of one or more attributes to be signed, which need not but may contain the MessageDigest and ContentType attributes provided by the caller, since the toolkit will provide these if they are missing

unsignedAttributes - an optional set of one or more attributes that will not be protected by the SignedData signature

Returns:

a value of ASN.1 type SignedData

Throws:

CryptoException

verify

public boolean verify(SignedData signedData,
                      PublicKeyLookup keyLookup)
               throws CryptoException,
                      EncodingException,
                      DecodingException,
                      java.io.IOException

Verify the signature on the signed content.

Parameters:

signedData - a value of ASN.1 type SignedData

keyLookup - public key associated with the private key used to sign the content

Returns:

a signature verification indicator

Throws:

CryptoException

EncodingException

DecodingException

java.io.IOException